nagai/kernel
3
0
Fork 0
forked from mirrors/linux
Code Pull requests Activity

macsec: Netlink support of XPN cipher suites (IEEE 802.1AEbw)

Browse source 
Netlink support of extended packet number cipher suites,
allows adding and updating XPN macsec interfaces.

Added support in:
    * Creating interfaces with GCM-AES-XPN-128 and GCM-AES-XPN-256 suites.
    * Setting and getting 64bit packet numbers with of SAs.
    * Setting (only on SA creation) and getting ssci of SAs.
    * Setting salt when installing a SAK.

Added 2 cipher suite identifiers according to 802.1AE-2018 table 14-1:
    * MACSEC_CIPHER_ID_GCM_AES_XPN_128
    * MACSEC_CIPHER_ID_GCM_AES_XPN_256

In addition, added 2 new netlink attribute types:
    * MACSEC_SA_ATTR_SSCI
    * MACSEC_SA_ATTR_SALT

Depends on: macsec: Support XPN frame handling - IEEE 802.1AEbw.

Signed-off-by: Era Mayflower <mayflowerera@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Era Mayflower 2020-03-09 19:47:02 +00:00 committed by David S. Miller
parent a21ecf0e03
commit 48ef50fa86
3 changed files with 157 additions and 15 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

161
drivers/net/macsec.c
View file

@ -240,11 +240,13 @@ static struct macsec_cb *macsec_skb_cb(struct sk_buff *skb)
#define MACSEC_PORT_ES (htons(0x0001)) #define MACSEC_PORT_ES (htons(0x0001))
#define MACSEC_PORT_SCB (0x0000) #define MACSEC_PORT_SCB (0x0000)
#define MACSEC_UNDEF_SCI ((__force sci_t)0xffffffffffffffffULL) #define MACSEC_UNDEF_SCI ((__force sci_t)0xffffffffffffffffULL)
#define MACSEC_UNDEF_SSCI ((__force ssci_t)0xffffffff)
#define MACSEC_GCM_AES_128_SAK_LEN 16 #define MACSEC_GCM_AES_128_SAK_LEN 16
#define MACSEC_GCM_AES_256_SAK_LEN 32 #define MACSEC_GCM_AES_256_SAK_LEN 32
#define DEFAULT_SAK_LEN MACSEC_GCM_AES_128_SAK_LEN #define DEFAULT_SAK_LEN MACSEC_GCM_AES_128_SAK_LEN
#define DEFAULT_XPN false
#define DEFAULT_SEND_SCI true #define DEFAULT_SEND_SCI true
#define DEFAULT_ENCRYPT false #define DEFAULT_ENCRYPT false
#define DEFAULT_ENCODING_SA 0 #define DEFAULT_ENCODING_SA 0
@ -1311,6 +1313,7 @@ static int init_rx_sa(struct macsec_rx_sa *rx_sa, char *sak, int key_len,
return PTR_ERR(rx_sa->key.tfm); return PTR_ERR(rx_sa->key.tfm);
} }
rx_sa->ssci = MACSEC_UNDEF_SSCI;
rx_sa->active = false; rx_sa->active = false;
rx_sa->next_pn = 1; rx_sa->next_pn = 1;
refcount_set(&rx_sa->refcnt, 1); refcount_set(&rx_sa->refcnt, 1);
@ -1409,6 +1412,7 @@ static int init_tx_sa(struct macsec_tx_sa *tx_sa, char *sak, int key_len,
return PTR_ERR(tx_sa->key.tfm); return PTR_ERR(tx_sa->key.tfm);
} }
tx_sa->ssci = MACSEC_UNDEF_SSCI;
tx_sa->active = false; tx_sa->active = false;
refcount_set(&tx_sa->refcnt, 1); refcount_set(&tx_sa->refcnt, 1);
spin_lock_init(&tx_sa->lock); spin_lock_init(&tx_sa->lock);
@ -1452,6 +1456,16 @@ static int nla_put_sci(struct sk_buff *skb, int attrtype, sci_t value,
return nla_put_u64_64bit(skb, attrtype, (__force u64)value, padattr); return nla_put_u64_64bit(skb, attrtype, (__force u64)value, padattr);
} }
static ssci_t nla_get_ssci(const struct nlattr *nla)
{
return (__force ssci_t)nla_get_u32(nla);
}
static int nla_put_ssci(struct sk_buff *skb, int attrtype, ssci_t value)
{
return nla_put_u32(skb, attrtype, (__force u64)value);
}
static struct macsec_tx_sa *get_txsa_from_nl(struct net *net, static struct macsec_tx_sa *get_txsa_from_nl(struct net *net,
struct nlattr **attrs, struct nlattr **attrs,
struct nlattr **tb_sa, struct nlattr **tb_sa,
@ -1567,11 +1581,14 @@ static const struct nla_policy macsec_genl_rxsc_policy[NUM_MACSEC_RXSC_ATTR] = {
static const struct nla_policy macsec_genl_sa_policy[NUM_MACSEC_SA_ATTR] = { static const struct nla_policy macsec_genl_sa_policy[NUM_MACSEC_SA_ATTR] = {
[MACSEC_SA_ATTR_AN] = { .type = NLA_U8 }, [MACSEC_SA_ATTR_AN] = { .type = NLA_U8 },
[MACSEC_SA_ATTR_ACTIVE] = { .type = NLA_U8 }, [MACSEC_SA_ATTR_ACTIVE] = { .type = NLA_U8 },
[MACSEC_SA_ATTR_PN] = { .type = NLA_U32 }, [MACSEC_SA_ATTR_PN] = { .type = NLA_MIN_LEN, .len = 4 },
[MACSEC_SA_ATTR_KEYID] = { .type = NLA_BINARY, [MACSEC_SA_ATTR_KEYID] = { .type = NLA_BINARY,
.len = MACSEC_KEYID_LEN, }, .len = MACSEC_KEYID_LEN, },
[MACSEC_SA_ATTR_KEY] = { .type = NLA_BINARY, [MACSEC_SA_ATTR_KEY] = { .type = NLA_BINARY,
.len = MACSEC_MAX_KEY_LEN, }, .len = MACSEC_MAX_KEY_LEN, },
[MACSEC_SA_ATTR_SSCI] = { .type = NLA_U32 },
[MACSEC_SA_ATTR_SALT] = { .type = NLA_BINARY,
.len = MACSEC_SALT_LEN, },
}; };
static const struct nla_policy macsec_genl_offload_policy[NUM_MACSEC_OFFLOAD_ATTR] = { static const struct nla_policy macsec_genl_offload_policy[NUM_MACSEC_OFFLOAD_ATTR] = {
@ -1644,7 +1661,8 @@ static bool validate_add_rxsa(struct nlattr **attrs)
if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN) if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN)
return false; return false;
if (attrs[MACSEC_SA_ATTR_PN] && nla_get_u32(attrs[MACSEC_SA_ATTR_PN]) == 0) if (attrs[MACSEC_SA_ATTR_PN] &&
*(u64 *)nla_data(attrs[MACSEC_SA_ATTR_PN]) == 0)
return false; return false;
if (attrs[MACSEC_SA_ATTR_ACTIVE]) { if (attrs[MACSEC_SA_ATTR_ACTIVE]) {
@ -1666,6 +1684,7 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info)
struct macsec_rx_sc *rx_sc; struct macsec_rx_sc *rx_sc;
struct macsec_rx_sa *rx_sa; struct macsec_rx_sa *rx_sa;
unsigned char assoc_num; unsigned char assoc_num;
int pn_len;
struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1]; struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1]; struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
int err; int err;
@ -1698,6 +1717,29 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info)
return -EINVAL; return -EINVAL;
} }
pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN;
if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) {
pr_notice("macsec: nl: add_rxsa: bad pn length: %d != %d\n",
nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len);
rtnl_unlock();
return -EINVAL;
}
if (secy->xpn) {
if (!tb_sa[MACSEC_SA_ATTR_SSCI] || !tb_sa[MACSEC_SA_ATTR_SALT]) {
rtnl_unlock();
return -EINVAL;
}
if (nla_len(tb_sa[MACSEC_SA_ATTR_SALT]) != MACSEC_SALT_LEN) {
pr_notice("macsec: nl: add_rxsa: bad salt length: %d != %d\n",
nla_len(tb_sa[MACSEC_SA_ATTR_SALT]),
MACSEC_SA_ATTR_SALT);
rtnl_unlock();
return -EINVAL;
}
}
rx_sa = rtnl_dereference(rx_sc->sa[assoc_num]); rx_sa = rtnl_dereference(rx_sc->sa[assoc_num]);
if (rx_sa) { if (rx_sa) {
rtnl_unlock(); rtnl_unlock();
@ -1720,7 +1762,7 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info)
if (tb_sa[MACSEC_SA_ATTR_PN]) { if (tb_sa[MACSEC_SA_ATTR_PN]) {
spin_lock_bh(&rx_sa->lock); spin_lock_bh(&rx_sa->lock);
rx_sa->next_pn_halves.lower = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]); rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
spin_unlock_bh(&rx_sa->lock); spin_unlock_bh(&rx_sa->lock);
} }
@ -1750,6 +1792,12 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info)
goto cleanup; goto cleanup;
} }
if (secy->xpn) {
rx_sa->ssci = nla_get_ssci(tb_sa[MACSEC_SA_ATTR_SSCI]);
nla_memcpy(rx_sa->key.salt.bytes, tb_sa[MACSEC_SA_ATTR_SALT],
MACSEC_SALT_LEN);
}
nla_memcpy(rx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN); nla_memcpy(rx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN);
rcu_assign_pointer(rx_sc->sa[assoc_num], rx_sa); rcu_assign_pointer(rx_sc->sa[assoc_num], rx_sa);
@ -1874,6 +1922,7 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info)
struct macsec_tx_sc *tx_sc; struct macsec_tx_sc *tx_sc;
struct macsec_tx_sa *tx_sa; struct macsec_tx_sa *tx_sa;
unsigned char assoc_num; unsigned char assoc_num;
int pn_len;
struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1]; struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
bool was_operational; bool was_operational;
int err; int err;
@ -1906,6 +1955,29 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info)
return -EINVAL; return -EINVAL;
} }
pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN;
if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) {
pr_notice("macsec: nl: add_txsa: bad pn length: %d != %d\n",
nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len);
rtnl_unlock();
return -EINVAL;
}
if (secy->xpn) {
if (!tb_sa[MACSEC_SA_ATTR_SSCI] || !tb_sa[MACSEC_SA_ATTR_SALT]) {
rtnl_unlock();
return -EINVAL;
}
if (nla_len(tb_sa[MACSEC_SA_ATTR_SALT]) != MACSEC_SALT_LEN) {
pr_notice("macsec: nl: add_txsa: bad salt length: %d != %d\n",
nla_len(tb_sa[MACSEC_SA_ATTR_SALT]),
MACSEC_SA_ATTR_SALT);
rtnl_unlock();
return -EINVAL;
}
}
tx_sa = rtnl_dereference(tx_sc->sa[assoc_num]); tx_sa = rtnl_dereference(tx_sc->sa[assoc_num]);
if (tx_sa) { if (tx_sa) {
rtnl_unlock(); rtnl_unlock();
@ -1927,7 +1999,7 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info)
} }
spin_lock_bh(&tx_sa->lock); spin_lock_bh(&tx_sa->lock);
tx_sa->next_pn_halves.lower = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]); tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
spin_unlock_bh(&tx_sa->lock); spin_unlock_bh(&tx_sa->lock);
if (tb_sa[MACSEC_SA_ATTR_ACTIVE]) if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
@ -1958,6 +2030,12 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info)
goto cleanup; goto cleanup;
} }
if (secy->xpn) {
tx_sa->ssci = nla_get_ssci(tb_sa[MACSEC_SA_ATTR_SSCI]);
nla_memcpy(tx_sa->key.salt.bytes, tb_sa[MACSEC_SA_ATTR_SALT],
MACSEC_SALT_LEN);
}
nla_memcpy(tx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN); nla_memcpy(tx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN);
rcu_assign_pointer(tx_sc->sa[assoc_num], tx_sa); rcu_assign_pointer(tx_sc->sa[assoc_num], tx_sa);
@ -2164,7 +2242,9 @@ static bool validate_upd_sa(struct nlattr **attrs)
{ {
if (!attrs[MACSEC_SA_ATTR_AN] || if (!attrs[MACSEC_SA_ATTR_AN] ||
attrs[MACSEC_SA_ATTR_KEY] || attrs[MACSEC_SA_ATTR_KEY] ||
attrs[MACSEC_SA_ATTR_KEYID]) attrs[MACSEC_SA_ATTR_KEYID] ||
attrs[MACSEC_SA_ATTR_SSCI] ||
attrs[MACSEC_SA_ATTR_SALT])
return false; return false;
if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN) if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN)
@ -2214,9 +2294,19 @@ static int macsec_upd_txsa(struct sk_buff *skb, struct genl_info *info)
} }
if (tb_sa[MACSEC_SA_ATTR_PN]) { if (tb_sa[MACSEC_SA_ATTR_PN]) {
int pn_len;
pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN;
if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) {
pr_notice("macsec: nl: upd_txsa: bad pn length: %d != %d\n",
nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len);
rtnl_unlock();
return -EINVAL;
}
spin_lock_bh(&tx_sa->lock); spin_lock_bh(&tx_sa->lock);
prev_pn = tx_sa->next_pn_halves; prev_pn = tx_sa->next_pn_halves;
tx_sa->next_pn_halves.lower = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]); tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
spin_unlock_bh(&tx_sa->lock); spin_unlock_bh(&tx_sa->lock);
} }
@ -2300,9 +2390,19 @@ static int macsec_upd_rxsa(struct sk_buff *skb, struct genl_info *info)
} }
if (tb_sa[MACSEC_SA_ATTR_PN]) { if (tb_sa[MACSEC_SA_ATTR_PN]) {
int pn_len;
pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN;
if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) {
pr_notice("macsec: nl: upd_rxsa: bad pn length: %d != %d\n",
nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len);
rtnl_unlock();
return -EINVAL;
}
spin_lock_bh(&rx_sa->lock); spin_lock_bh(&rx_sa->lock);
prev_pn = rx_sa->next_pn_halves; prev_pn = rx_sa->next_pn_halves;
rx_sa->next_pn_halves.lower = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]); rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
spin_unlock_bh(&rx_sa->lock); spin_unlock_bh(&rx_sa->lock);
} }
@ -2749,10 +2849,10 @@ static int nla_put_secy(struct macsec_secy *secy, struct sk_buff *skb)
switch (secy->key_len) { switch (secy->key_len) {
case MACSEC_GCM_AES_128_SAK_LEN: case MACSEC_GCM_AES_128_SAK_LEN:
csid = MACSEC_DEFAULT_CIPHER_ID; csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_128 : MACSEC_DEFAULT_CIPHER_ID;
break; break;
case MACSEC_GCM_AES_256_SAK_LEN: case MACSEC_GCM_AES_256_SAK_LEN:
csid = MACSEC_CIPHER_ID_GCM_AES_256; csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_256 : MACSEC_CIPHER_ID_GCM_AES_256;
break; break;
default: default:
goto cancel; goto cancel;
@ -2843,6 +2943,8 @@ dump_secy(struct macsec_secy *secy, struct net_device *dev,
for (i = 0, j = 1; i < MACSEC_NUM_AN; i++) { for (i = 0, j = 1; i < MACSEC_NUM_AN; i++) {
struct macsec_tx_sa *tx_sa = rtnl_dereference(tx_sc->sa[i]); struct macsec_tx_sa *tx_sa = rtnl_dereference(tx_sc->sa[i]);
struct nlattr *txsa_nest; struct nlattr *txsa_nest;
u64 pn;
int pn_len;
if (!tx_sa) if (!tx_sa)
continue; continue;
@ -2853,9 +2955,18 @@ dump_secy(struct macsec_secy *secy, struct net_device *dev,
goto nla_put_failure; goto nla_put_failure;
} }
if (secy->xpn) {
pn = tx_sa->next_pn;
pn_len = MACSEC_XPN_PN_LEN;
} else {
pn = tx_sa->next_pn_halves.lower;
pn_len = MACSEC_DEFAULT_PN_LEN;
}
if (nla_put_u8(skb, MACSEC_SA_ATTR_AN, i) || if (nla_put_u8(skb, MACSEC_SA_ATTR_AN, i) ||
nla_put_u32(skb, MACSEC_SA_ATTR_PN, tx_sa->next_pn_halves.lower) || nla_put(skb, MACSEC_SA_ATTR_PN, pn_len, &pn) ||
nla_put(skb, MACSEC_SA_ATTR_KEYID, MACSEC_KEYID_LEN, tx_sa->key.id) || nla_put(skb, MACSEC_SA_ATTR_KEYID, MACSEC_KEYID_LEN, tx_sa->key.id) ||
(secy->xpn && nla_put_ssci(skb, MACSEC_SA_ATTR_SSCI, tx_sa->ssci)) ||
nla_put_u8(skb, MACSEC_SA_ATTR_ACTIVE, tx_sa->active)) { nla_put_u8(skb, MACSEC_SA_ATTR_ACTIVE, tx_sa->active)) {
nla_nest_cancel(skb, txsa_nest); nla_nest_cancel(skb, txsa_nest);
nla_nest_cancel(skb, txsa_list); nla_nest_cancel(skb, txsa_list);
@ -2928,6 +3039,8 @@ dump_secy(struct macsec_secy *secy, struct net_device *dev,
for (i = 0, k = 1; i < MACSEC_NUM_AN; i++) { for (i = 0, k = 1; i < MACSEC_NUM_AN; i++) {
struct macsec_rx_sa *rx_sa = rtnl_dereference(rx_sc->sa[i]); struct macsec_rx_sa *rx_sa = rtnl_dereference(rx_sc->sa[i]);
struct nlattr *rxsa_nest; struct nlattr *rxsa_nest;
u64 pn;
int pn_len;
if (!rx_sa) if (!rx_sa)
continue; continue;
@ -2957,9 +3070,18 @@ dump_secy(struct macsec_secy *secy, struct net_device *dev,
} }
nla_nest_end(skb, attr); nla_nest_end(skb, attr);
if (secy->xpn) {
pn = rx_sa->next_pn;
pn_len = MACSEC_XPN_PN_LEN;
} else {
pn = rx_sa->next_pn_halves.lower;
pn_len = MACSEC_DEFAULT_PN_LEN;
}
if (nla_put_u8(skb, MACSEC_SA_ATTR_AN, i) || if (nla_put_u8(skb, MACSEC_SA_ATTR_AN, i) ||
nla_put_u32(skb, MACSEC_SA_ATTR_PN, rx_sa->next_pn_halves.lower) || nla_put(skb, MACSEC_SA_ATTR_PN, pn_len, &pn) ||
nla_put(skb, MACSEC_SA_ATTR_KEYID, MACSEC_KEYID_LEN, rx_sa->key.id) || nla_put(skb, MACSEC_SA_ATTR_KEYID, MACSEC_KEYID_LEN, rx_sa->key.id) ||
(secy->xpn && nla_put_ssci(skb, MACSEC_SA_ATTR_SSCI, rx_sa->ssci)) ||
nla_put_u8(skb, MACSEC_SA_ATTR_ACTIVE, rx_sa->active)) { nla_put_u8(skb, MACSEC_SA_ATTR_ACTIVE, rx_sa->active)) {
nla_nest_cancel(skb, rxsa_nest); nla_nest_cancel(skb, rxsa_nest);
nla_nest_cancel(skb, rxsc_nest); nla_nest_cancel(skb, rxsc_nest);
@ -3503,9 +3625,19 @@ static int macsec_changelink_common(struct net_device *dev,
case MACSEC_CIPHER_ID_GCM_AES_128: case MACSEC_CIPHER_ID_GCM_AES_128:
case MACSEC_DEFAULT_CIPHER_ID: case MACSEC_DEFAULT_CIPHER_ID:
secy->key_len = MACSEC_GCM_AES_128_SAK_LEN; secy->key_len = MACSEC_GCM_AES_128_SAK_LEN;
secy->xpn = false;
break; break;
case MACSEC_CIPHER_ID_GCM_AES_256: case MACSEC_CIPHER_ID_GCM_AES_256:
secy->key_len = MACSEC_GCM_AES_256_SAK_LEN; secy->key_len = MACSEC_GCM_AES_256_SAK_LEN;
secy->xpn = false;
break;
case MACSEC_CIPHER_ID_GCM_AES_XPN_128:
secy->key_len = MACSEC_GCM_AES_128_SAK_LEN;
secy->xpn = true;
break;
case MACSEC_CIPHER_ID_GCM_AES_XPN_256:
secy->key_len = MACSEC_GCM_AES_256_SAK_LEN;
secy->xpn = true;
break; break;
default: default:
return -EINVAL; return -EINVAL;
@ -3695,6 +3827,7 @@ static int macsec_add_dev(struct net_device *dev, sci_t sci, u8 icv_len)
secy->validate_frames = MACSEC_VALIDATE_DEFAULT; secy->validate_frames = MACSEC_VALIDATE_DEFAULT;
secy->protect_frames = true; secy->protect_frames = true;
secy->replay_protect = false; secy->replay_protect = false;
secy->xpn = DEFAULT_XPN;
secy->sci = sci; secy->sci = sci;
secy->tx_sc.active = true; secy->tx_sc.active = true;
@ -3824,6 +3957,8 @@ static int macsec_validate_attr(struct nlattr *tb[], struct nlattr *data[],
switch (csid) { switch (csid) {
case MACSEC_CIPHER_ID_GCM_AES_128: case MACSEC_CIPHER_ID_GCM_AES_128:
case MACSEC_CIPHER_ID_GCM_AES_256: case MACSEC_CIPHER_ID_GCM_AES_256:
case MACSEC_CIPHER_ID_GCM_AES_XPN_128:
case MACSEC_CIPHER_ID_GCM_AES_XPN_256:
case MACSEC_DEFAULT_CIPHER_ID: case MACSEC_DEFAULT_CIPHER_ID:
if (icv_len < MACSEC_MIN_ICV_LEN || if (icv_len < MACSEC_MIN_ICV_LEN ||
icv_len > MACSEC_STD_ICV_LEN) icv_len > MACSEC_STD_ICV_LEN)
@ -3897,10 +4032,10 @@ static int macsec_fill_info(struct sk_buff *skb,
switch (secy->key_len) { switch (secy->key_len) {
case MACSEC_GCM_AES_128_SAK_LEN: case MACSEC_GCM_AES_128_SAK_LEN:
csid = MACSEC_DEFAULT_CIPHER_ID; csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_128 : MACSEC_DEFAULT_CIPHER_ID;
break; break;
case MACSEC_GCM_AES_256_SAK_LEN: case MACSEC_GCM_AES_256_SAK_LEN:
csid = MACSEC_CIPHER_ID_GCM_AES_256; csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_256 : MACSEC_CIPHER_ID_GCM_AES_256;
break; break;
default: default:
goto nla_put_failure; goto nla_put_failure;

3
include/net/macsec.h
View file

@ -11,6 +11,9 @@
#include <uapi/linux/if_link.h> #include <uapi/linux/if_link.h>
#include <uapi/linux/if_macsec.h> #include <uapi/linux/if_macsec.h>
#define MACSEC_DEFAULT_PN_LEN 4
#define MACSEC_XPN_PN_LEN 8
#define MACSEC_SALT_LEN 12 #define MACSEC_SALT_LEN 12
#define MACSEC_NUM_AN 4 /* 2 bits for the association number */ #define MACSEC_NUM_AN 4 /* 2 bits for the association number */

8
include/uapi/linux/if_macsec.h
View file

@ -22,9 +22,11 @@
#define MACSEC_KEYID_LEN 16 #define MACSEC_KEYID_LEN 16
/* cipher IDs as per IEEE802.1AEbn-2011 */ /* cipher IDs as per IEEE802.1AE-2018 (Table 14-1) */
#define MACSEC_CIPHER_ID_GCM_AES_128 0x0080C20001000001ULL #define MACSEC_CIPHER_ID_GCM_AES_128 0x0080C20001000001ULL
#define MACSEC_CIPHER_ID_GCM_AES_256 0x0080C20001000002ULL #define MACSEC_CIPHER_ID_GCM_AES_256 0x0080C20001000002ULL
#define MACSEC_CIPHER_ID_GCM_AES_XPN_128 0x0080C20001000003ULL
#define MACSEC_CIPHER_ID_GCM_AES_XPN_256 0x0080C20001000004ULL
/* deprecated cipher ID for GCM-AES-128 */ /* deprecated cipher ID for GCM-AES-128 */
#define MACSEC_DEFAULT_CIPHER_ID 0x0080020001000001ULL #define MACSEC_DEFAULT_CIPHER_ID 0x0080020001000001ULL
@ -88,11 +90,13 @@ enum macsec_sa_attrs {
MACSEC_SA_ATTR_UNSPEC, MACSEC_SA_ATTR_UNSPEC,
MACSEC_SA_ATTR_AN, /* config/dump, u8 0..3 */ MACSEC_SA_ATTR_AN, /* config/dump, u8 0..3 */
MACSEC_SA_ATTR_ACTIVE, /* config/dump, u8 0..1 */ MACSEC_SA_ATTR_ACTIVE, /* config/dump, u8 0..1 */
MACSEC_SA_ATTR_PN, /* config/dump, u32 */ MACSEC_SA_ATTR_PN, /* config/dump, u32/u64 (u64 if XPN) */
MACSEC_SA_ATTR_KEY, /* config, data */ MACSEC_SA_ATTR_KEY, /* config, data */
MACSEC_SA_ATTR_KEYID, /* config/dump, 128-bit */ MACSEC_SA_ATTR_KEYID, /* config/dump, 128-bit */
MACSEC_SA_ATTR_STATS, /* dump, nested, macsec_sa_stats_attr */ MACSEC_SA_ATTR_STATS, /* dump, nested, macsec_sa_stats_attr */
MACSEC_SA_ATTR_PAD, MACSEC_SA_ATTR_PAD,
MACSEC_SA_ATTR_SSCI, /* config/dump, u32 - XPN only */
MACSEC_SA_ATTR_SALT, /* config, 96-bit - XPN only */
__MACSEC_SA_ATTR_END, __MACSEC_SA_ATTR_END,
NUM_MACSEC_SA_ATTR = __MACSEC_SA_ATTR_END, NUM_MACSEC_SA_ATTR = __MACSEC_SA_ATTR_END,
MACSEC_SA_ATTR_MAX = __MACSEC_SA_ATTR_END - 1, MACSEC_SA_ATTR_MAX = __MACSEC_SA_ATTR_END - 1,